| 1 |
Hi everyone, |
| 2 |
|
| 3 |
I've been doing some experimental work with PaX enabled kernels and I |
| 4 |
wanted to share it with the community at large for feedback. |
| 5 |
|
| 6 |
Motivation: There are two (soon three) ways of doing PaX markings so |
| 7 |
that a PaX enabled kernel knows what restrictions to put on the running |
| 8 |
process. These are: |
| 9 |
|
| 10 |
1) EI_PAX markings. This puts the pax flags in the ELF header in bytes |
| 11 |
14 and 15 of the e_ident[] field. This was a "hijacked" area and is now |
| 12 |
broken. [1] |
| 13 |
|
| 14 |
2) PT_PAX markings. This puts the flags in an ELF program header. On |
| 15 |
Gentoo systems, all binaries are compiled with a PT_PAX header ready to |
| 16 |
go because of a patch against binutils [2]. The problem is precompiled |
| 17 |
binaries which lack a PT_PAX header and cannot have one added without |
| 18 |
breaking. (eg. skype). |
| 19 |
|
| 20 |
3) XT_PAX markings. This is the new experimental way of doing the |
| 21 |
markings using xattrs for PaX markings. Currently, I'm using the name |
| 22 |
space "user.pax" so as to allow users to mark their own binaries, but |
| 23 |
this may change to "security.pax" depending on what direction upstream |
| 24 |
(ie pipacs) wants to go. The advantage here is that the ELF binary is |
| 25 |
not mangled in any way since the xattrs live in the inodes not the |
| 26 |
blocks. The disadvantage is that xattrs is not supported on all |
| 27 |
filesystems and in all our utilities we need for portage to work. I'm |
| 28 |
working to get xattrs supported where we need it. This will also help |
| 29 |
with supporting other features like ACL and CAPS. To this end: |
| 30 |
|
| 31 |
a) There is a patch against tar to support xattrs based on a Fedora's |
| 32 |
patch. [3] |
| 33 |
b) Kernels 3.0 and above support xattrs in tmpfs, squashfs and other |
| 34 |
filesystems. |
| 35 |
c) Python 3.3 and above support os.getxattr and os.setxattr and zmedico |
| 36 |
and Arfrever have patched portage to copy xattrs from ${D} to ${ROOT}. |
| 37 |
d) There's probably more .... feedback welcome! |
| 38 |
|
| 39 |
|
| 40 |
I've built two test systems, amd64 and x86, and so far so go. |
| 41 |
Prometheanfire tested too and help find some snags. If anyone is |
| 42 |
interested, I've got a HOWTO on converting any gentoo system to a *pure* |
| 43 |
XT_PAX hardened system [4], ie one with *no* EI_PAX or PT_PAX. This |
| 44 |
will not be the final situation where we will have backwards compat with |
| 45 |
PT_PAX but not EI_PAX. However, for testing it will force any issues |
| 46 |
with XT_PAX to the foreground. |
| 47 |
|
| 48 |
Since many of you know more about the internals of Gentoo than I, I |
| 49 |
would appreciate any suggestions regarding what I might be missing if we |
| 50 |
eventually migrate in this direction. |
| 51 |
|
| 52 |
|
| 53 |
References: |
| 54 |
|
| 55 |
[1] https://bugs.gentoo.org/show_bug.cgi?id=387459 |
| 56 |
|
| 57 |
[2] As of this writing, PT_PAX support is provided by patch |
| 58 |
63_all_binutils-2.21.1-pt-pax-flags-20110918.patch which can be |
| 59 |
obtained from the patch bundles found at |
| 60 |
http://dev.gentoo.org/~vapier/dist/ among other places. |
| 61 |
|
| 62 |
[3] https://bugs.gentoo.org/show_bug.cgi?id=382067 |
| 63 |
|
| 64 |
[4] |
| 65 |
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=blob;f=HOWTO.txt;h=9edc600f0d81d5e77c6cd7e961a05b56f51b51ec;hb=f4d0da5dcaf12e4b9a70c1d2528becf649b1de61 |
| 66 |
|
| 67 |
-- |
| 68 |
Anthony G. Basile, Ph.D. |
| 69 |
Gentoo Linux Developer [Hardened] |
| 70 |
E-Mail : blueness@g.o |
| 71 |
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 |
| 72 |
GnuPG ID : D0455535 |
Archives